CertMaster Practice: 4.0 Security Operations Flashcards
During a simulation of an incident, an analyst observed that the SIEM system generated several alerts that were false positives. What should the analyst focus on to improve the efficiency of the alert response and remediation process?
Focus on enhancing validation and quarantine processes in alert response. Validation reduces false positives, while quarantine isolates the source of indicators to manage potential incidents.
What leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature?
DomainKeys identified mail (DKIM)
What checks to define rules for handling messages, such as moving messages to quarantine or spam, rejecting them outright, or tagging the message?
Domain-based message authentication, reporting and conformance (DMARC)
What authentication method utilizes a physical device or software to generate secure, unique codes and offers convenience and strong security?
Security keys
A cybersecurity responder surreptitiously monitors the activities of a hacker attempting infiltration. During this time, the cybersecurity responder prepared a containment and eradication plan. This is an example of what type of threat-hunting technique?
Maneuvering
A tech firm’s cybersecurity analyst investigates anomalies detected on the company’s Linux servers. These anomalies suggest unauthorized activities that could lead to data exfiltration. The analyst gathers evidence from various data sources and traces the root cause. Which combination of data sources should the analyst focus on, considering the nature of the anomalies and the operating system in question?
Linux’s /var/log/auth.log provides information about login attempts and sudo privileges. Host-based intrusion detection system logs, System Information and Event Management (SIEM) tool reports.
A Security Operations Center (SOC) manager notices a significant increase in unclassified events on the incident handler’s Security Event and Incident Management (SIEM) dashboard. At the same time, someone or something raises the number of incidents. Which combination of data sources would provide the MOST comprehensive view to support the manager’s investigation?
Operating system (OS)-specific security logs reveal system-level activities, while application and service logs on hosts provide application activity information. Security Information and Event Management (SIEM) tool reports summarize incidents.
The intrusion detection system (IDS) reports multiple instances of an internal host attempting to connect to an unusual external port. Which data sources would BEST assist the analyst in confirming an allowed or denied connection and identifying potential adjustments to security controls?
Firewall logs.
A network security engineer at a multinational corporation monitors the company’s network traffic using Security Event and Incident Management (SIEM) dashboard when the engineer notices an unusual surge in data flow from the company’s internal network to an unknown external internet protocol (IP). The engineer suspects data exfiltration. To trace the traffic source and identify potentially compromised systems, which combination of data sources should the engineer primarily focus on?
System Information and Event Management (SIEM) reports offer a summarized view of incidents, data loss prevention system logs can reveal potential data leakage, and operating system (OS) logs can provide insights into system-level activities.
System Information and Event Management (SIEM) reports offer a summarized view of incidents, data loss prevention system logs can reveal potential data leakage, and operating system (OS) logs can provide insights into system-level activities. Which combination of data sources would provide a balanced perspective to support the investigation?
Security logs from specific systems and third-party applications provide insights into system and application operations. Real-time threat intelligence feeds from the SIEM solution to summarize incidents.
A digital forensics analyst at a healthcare company is investigating a case involving a potential internal data breach. The breach has led to unauthorized access and potential exposure of sensitive patient information. The company uses a Security Information and Event Management (SIEM) tool that aggregates and correlates data from multiple sources. Given the nature of the breach, which combination of data sources should the analyst primarily consider for their investigation?
Client and server host operating system (OS) logs reveal system-level activities, while application and endpoint logs provide application usage and end-user activity insights.
